Researchers Release Free TRITON/TRISIS Malware Detection Tools

Team of experts re-creates the TRITON/TRISIS attack to better understand the epic hack of an energy plant that ultimately failed.

BLACK HAT USA – Las Vegas – A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.

Researchers from Nozomi Networks, along with independent ICS expert Marina Krotofil, previously with FireEye, today demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. TRITON/TRISIS was discovered in 2017 in a Middle Eastern plant after an apparent failure in the attack shut down its Triconex safety systems. No official payload was ever deployed or found, so researchers, to date, have only been able to speculate about the attackers' ultimate plans.

Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark that the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating in the network, as well as gather intelligence on the communication, translate function codes, and extract PLC programs that it is transmitting.

The researchers today added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks.

Andrea Carcano, founder and chief product officer at Nozomi, says he and his team re-created the attack in their lab, and found that writing custom malware like TRITON/Trisis would not be as difficult or as expensive as you'd think. TriStation software sells for about $3, for example, on one e-commerce website in China, and the hardware sells for anywhere from $5,000 to $10,000 on eBay and Alibaba. The TriStation engineering software file names have information on the software architecture and structure, Carcano said.

"Everyone believed this malware was more sophisticated," he says. "But if you have a little knowledge and patience, you can go online and download the manuals, software, and buy a Triconex controller on eBay like we did ... and build the attack in your house."

Schneider Electric, meanwhile, maintains that a TRITON-type attack would require a skilled threat actor. Andy Kling, director of cybersecurity and system architecture for Schneider, notes that even if an attacker had the Triconex equipment on hand, the attacker would still need to understand how it works. "You'd still need to have a certain level of understanding of how not to step on the safety program and how to stealthily inject this malware into the device," he says. "Those skills, we believe, are still pretty high."

Kling says Schneider is still operating under the same working theory that the TRITON malware was "in development" and that the attackers likely hadn't yet completed their malware arsenal for fully deploying the remote access Trojan. "Or perhaps they had another team and they had not gotten to the final payload piece," he said.

Liam O'Murchu, director of security technology and response at Symantec, says there are still plenty of questions surrounding the intention of the attack and whether it was a test-run or a failed attack. "Was it a competitor trying to take over another competitor? That's one suspicion about it," he says. "They were specifically focused on that particular target."

During its forensic investigation of the attack, Schneider wrote its own malware detection tool for TRITON. "We have been running the program to help our customers see if they were infected by it," Kling says. "We've been running it for months, and there have been no 'positive' [detection] results worldwide, and no new indicators of compromise."

Another HoleWhile analyzing TRITON, the Nozomi researchers also stumbled on a built-in backdoor maintenance function in the Triconex TriStation 1131 version 4.9 controller.

"We also found two undocumented power users with hard-coded credentials," Nozomi wrote in a blog post today. "One of the power user's login enabled a hidden menu, which from an attacker's perspective, could be useful."

But Carcano says the feature was not part of the TRITON malware attack. That maintenance support feature has basically been phased out of later versions of the TriStation.

"Fifteen years ago, when those products were developed, you would have a support account built into the products. That was the norm," says Schneider Electric's Kling. But later versions of the software, from 4.9.1 and up, included recommendations and the ability to delete the account.

"As then time went on, [we added] a secure version of this product, and this [support] account no longer exists," he says.

Kling says Triconex users should update their software if they're still running the older 4.9 version.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed...

An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted X...